Add dnssec-check-unsigned to example config file.

commit: 56618c31f62b0ed8af2c392071af0ca519c64b13 [log] [tgz]
author: Simon Kelley <simon@thekelleys.org.uk> Mon Mar 24 21:13:49 2014 +0000
committer: Simon Kelley <simon@thekelleys.org.uk> Mon Mar 24 21:13:49 2014 +0000
tree: fc3e2e64855d9c3c4c75b5a6ba35927a1ab0dcaa
parent: 604f7598c2265e334de05ed25d8e4e2a01de36cd [diff] [blame]
diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
index 4f2bcf3..206f4d1 100644
--- a/dnsmasq.conf.example
+++ b/dnsmasq.conf.example

@@ -25,6 +25,14 @@
 #conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
 #dnssec
 
+# Replies which are not DNSSEC signed may be legitimate, because the domain
+# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
+# check that an unsigned reply is OK, by finding a secure proof that a DS 
+# record somewhere between the root and the domain does not exist. 
+# The cost of setting this is that even queries in unsigned domains will need
+# one or more extra DNS queries to verify.
+#dnssec-check-unsigned
+
 # Uncomment this to filter useless windows-originated DNS requests
 # which can trigger dial-on-demand links needlessly.
 # Note that (amongst other things) this blocks all SRV requests,
commit	56618c31f62b0ed8af2c392071af0ca519c64b13	[log] [tgz]
author	Simon Kelley <simon@thekelleys.org.uk>	Mon Mar 24 21:13:49 2014 +0000
committer	Simon Kelley <simon@thekelleys.org.uk>	Mon Mar 24 21:13:49 2014 +0000
tree	fc3e2e64855d9c3c4c75b5a6ba35927a1ab0dcaa
parent	604f7598c2265e334de05ed25d8e4e2a01de36cd [diff] [blame]